Thu Mar 02

The Principles and Types of Social Engineering in Cyber Security

As technology progresses, security advances alongside it and remains a primary concern. Features such as encryption and two-factor authentication make an attacker's work considerably harder, and more protections keep being added as we grow more dependent on the internet. Yet one component does not really change, which makes it the weakest link in cyber security: the human.

In pop culture, hacking is always depicted as someone breaking into a system from behind a laptop or computer. While this is not entirely false, it does not show the whole picture. Humans are often the primary target when a system is compromised. Using social engineering techniques, attackers outsmart and manipulate their victims into doing what they want.

**The Principles of Social Engineering**

In the context of social engineering, principles are the underlying rules and fundamental concepts, grounded in an understanding of human psychology and behavior, that attackers use to increase the likelihood of a successful attack.

Authority

The attacker may impersonate someone in a position of authority, such as a police officer or an IT administrator, and use that role to convince you to hand over sensitive data or credentials.

Intimidation

Sometimes subtle manipulation will not work, so the attacker instead pressures the victim into doing what they are asked. The victim is given a choice, but is told there will be serious consequences if they say 'no'. These attacks can be particularly effective, as the victim may feel they have no option but to comply.

Consensus / social proof

In essence, the attacker exploits the human tendency to conform to social norms. Victims are more likely to comply with a request if the attacker creates the impression that others in the same group have already done the same. For example, suppose Alice and Bob work in the same division. Alice is more likely to give up her credentials if the attacker convinces her that Bob has already done so.

Scarcity

The attacker creates a sense of scarcity to push individuals into acting. Marketers and sellers use the same technique to get people to act quickly. For example, a victim may receive an irresistible offer that is only available for a very short time, and the attacker then convinces the victim to enter their login credentials in order to claim it.

Urgency

This is closely related to scarcity. The attacker fabricates an emergency that must be addressed immediately (e.g. a security breach or a critical update), so the victim never gets a clear view of the actual situation. Once convinced, the victim has no time to think through the consequences and complies with what the attacker wants.

Familiarity / liking

In general, humans prefer things they are familiar with, a tendency known as the mere-exposure effect, and human relationships are no different. Attackers know this and may pose as a friend, colleague, or someone else the victim is close to. This way, individuals can be persuaded to divulge sensitive information such as login credentials and financial details.

Trust

Trust plays an important role in convincing and persuading people. Attackers present themselves to the victim in a friendly and approachable manner. Once trust is established, they can get the victim to do what they want or hand over what they are after.

Types of Social Engineering

There are also many types of social engineering attack that may be used.

**Phishing**

Phishing is one of the most common forms of social engineering and can be delivered over mediums such as text message and email. The attacker attempts to trick users into giving up their credentials or other personal and sensitive information.

Websites are the most common medium used for the trick. In some cases a phishing site is easy to spot because of errors such as typos and broken images, but there are plenty that are very hard to tell apart from the real thing. In those cases the most reliable way to detect it is to check the URL.

The URL may differ only slightly from the real company's domain. For example, a malicious actor may take our domain and register a very similar one, like https://binarite.com or https://binaryte.org (known as typosquatting), then email you a link to the phishing site asking you to log in with your credentials.
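The URL check described above can be automated. The following is an added example, not code from the original post: it extracts the host from a link, reduces it to its registrable domain, and flags it as a look-alike when it is a small edit away from a trusted domain, contains the trusted brand name, or hides the trusted domain inside a subdomain (e.g. `binaryte.com.login-verify.net`). The trusted-domain set, the distance threshold and the sample URLs are assumptions for the example; only binaryte.com, binarite.com and binaryte.org come from the post.

```python
"""Added example: flag typosquatted and look-alike domains in URLs.

Assumptions (not from the original post): binaryte.com is the only trusted
domain, an edit distance of 2 or less counts as a look-alike, and the
registrable domain is approximated as the last two host labels.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = frozenset({"binaryte.com"})  # assumed trusted set


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Caveat: this ignores multi-part public suffixes such as .co.uk; a
    production check should consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'invalid' for a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"                       # includes real subdomains
    for t in trusted:
        brand = t.split(".")[0]                # 'binaryte'
        # Trusted domain used as a subdomain of an attacker-controlled name.
        if host.startswith(t + ".") or f".{t}." in host:
            return "lookalike"
        # Brand name reused under another TLD or with extra words
        # (binaryte.org, binaryte-login.com). Short brands will false-positive.
        if brand in domain.split(".")[0]:
            return "lookalike"
        # One or two character typos: binarite.com, binaryte.cm, ...
        if levenshtein(domain, t) <= max_distance:
            return "lookalike"
    return "unrelated"


def scan_links(urls):
    """Classify every link in a message; returns {url: verdict}."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links, as might be extracted from a suspicious email.
    for url, verdict in scan_links([
        "https://binaryte.com/login",
        "https://mail.binaryte.com/",
        "https://binarite.com/login",
        "https://binaryte.org/",
        "https://binaryte.com.login-verify.net/",
        "https://example.com/",
    ]).items():
        print(f"{verdict:10s} {url}")
```

Note that a punycode host such as `xn--...` passes through `urlsplit` unchanged, so an internationalized look-alike would still need to be decoded before comparison; that case is outside this example.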

Phishing comes in many forms.

  • Vishing : using voice or phone calls, the attacker tricks the victim into revealing information.
  • Spear phishing : a phishing attack that uses tailored, customized messages or emails to target a specific individual.
  • Pharming : the victim is redirected to a bogus website by compromising the DNS server they use or by manipulating the hosts file on their machine.
  • Whaling : a form of spear phishing aimed at high-profile individuals such as politicians or celebrities.
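The hosts-file variant of pharming leaves a visible trace on the victim's machine: a line that pins a public domain to an attacker-chosen address. The following is an added example, not from the original post, of parsing a hosts file in the standard format (address, one or more names, optional `#` comment) and reporting any entry for a protected domain or its subdomains. The protected-domain set and the sample file content are constructed for the example.

```python
"""Added example: detect hosts-file pharming entries.

Assumptions (not from the original post): binaryte.com is the protected
domain, and a clean hosts file never maps a public domain at all, so any
entry for it is an indicator regardless of the address it points to.
"""
import ipaddress

# Constructed sample hosts file with one injected pharming line.
SAMPLE_HOSTS = """\
# constructed sample, not a real system file
127.0.0.1       localhost
::1             localhost ip6-localhost
198.51.100.23   binaryte.com www.binaryte.com   # injected by attacker
192.0.2.10      intranet.example   # a legitimate internal pin
"""

PROTECTED_DOMAINS = frozenset({"binaryte.com"})  # assumed


def parse_hosts(text: str):
    """Yield (line_number, address, hostname) for each name in the file.

    Comments and blank lines are skipped; a line whose first field is not
    a valid IPv4/IPv6 address is ignored rather than raising.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, str(addr), name.lower().rstrip(".")


def find_hijacks(text: str, protected=PROTECTED_DOMAINS):
    """Return hosts entries that pin a protected domain or any subdomain of it."""
    hits = []
    for lineno, addr, name in parse_hosts(text):
        for domain in protected:
            if name == domain or name.endswith("." + domain):
                hits.append({"line": lineno, "address": addr, "host": name})
    return hits


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['address']}")
```

On a real system the same function can be run over `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts`); it does not address the DNS-server variant of pharming, which has to be checked by comparing resolver answers against a known-good source.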

Impersonation

Attackers may impersonate a real, trusted company and pretend to act on its behalf. They may first perform reconnaissance on the victim or the organization being targeted. Reconnaissance helps them understand the target far better and significantly reduces suspicion.

To carry out a successful social engineering attack, attackers need a comprehensive understanding of the organization they are targeting: its structure, the names of specific individuals and their colleagues, branch locations, and other relevant details. With this information, attackers can even impersonate higher-ranking staff and issue orders to their victims, potentially leading to compromised security or unauthorized access to confidential information. The technique is particularly effective because victims may not realize they are being manipulated, so the attacker can extract sensitive information without raising suspicion.

Pretexting

Pretexting is also a commonly used technique that goes hand in hand with social engineering attacks: the attacker invents a false story or introduction to gain the victim's trust. It often involves the attacker pretending to be someone from a legitimate company and using a medium such as email or phone to make the story more convincing.

Shoulder surfing

Shoulder surfing is the tactic where the attacker covertly gathers sensitive information by simply looking over the victim's shoulder as they enter it. Worse, employees may have access to sensitive company information yet be unaware of the risk of an unauthorized person seeing it. Additional controls such as two-factor authentication or centralized authentication such as Kerberos do not stop someone from watching, but they reduce the value of a password observed this way.

Watering hole

Put simply, a watering hole attack targets a group of individuals by infecting a website that group visits frequently. In an attack on a company, the attacker observes the targets' browsing habits and compromises such a site rather than penetrating the network directly. The attacker can then get into the company network through the computer the victim used to visit the site.

Hoax

A hoax is a social engineering tactic intended to mislead, giving individuals false information in the hope that they believe it, to the attacker's benefit. The information is tailored to look as real as possible while the truth may be the opposite. This type of attack can be massive and widespread.

Spam

Spam consists of unsolicited, unwanted messages sent in bulk that often appear to come from a legitimate, trusted organization. Spam may carry anything from commercial advertising to phishing attempts that try to convince you to download malware designed to steal your personal information.

Influence Campaign

In today's world, influence campaigns are a social engineering tactic used to shape and sway people's opinions, thinking and behavior toward a particular political ideology. They can take many forms, such as propaganda or messages conveyed through social media influencers. The intentions vary: distraction, polarizing opinion, or simply personal gain.

Using bots and automated fake accounts, this tactic spreads easily now that sharing information is routine, which amplifies its effect. It is very hard to prevent because it manipulates an individual's psychology and exploits their biases and beliefs. You can protect yourself by thinking critically, staying informed about current events, and verifying the source of any information you receive.

Tailgating

Tailgating is following an authorized person into a restricted area without having authorization yourself. For example, the attacker may hang around the smoking area or canteen pretending to be on a break and then simply follow real employees into the building. The attacker may also carry something in their hands so that an authorized person will gladly hold the door open and let the intruder into the restricted area.

Conclusion

In conclusion, social engineering is a technique that exploits the vulnerabilities of human psychology for malicious purposes. As these attacks grow more advanced by the day and some are very difficult to detect, it is crucial for individuals and organizations to understand the principles and types of social engineering in order to protect themselves effectively. Staying aware of the latest social engineering techniques and trends also helps individuals and organizations take preventive measures, mitigate the associated risks and minimize the chances of falling prey to such attacks.